Airport Extreme update breaks IPv6 tunnels, but here’s how to fix it

The fix shouldn't be intimidating for those committed to their IPv6 tunnels.

Apple recently released firmware version 7.6.3 for its line of Airport Extreme Wi-Fi base stations. Assuming the release notes are accurate, the update barely warrants a bump after the second decimal point. The update adds the ability to extend a guest network or add a WPS-capable Wi-Fi printer, and it improves "international support." However, it does something else, too: it breaks IPv6 tunnels. But don't panic—this is easily fixed by changing a setting in the Airport Utility.

Recent versions of the AEBS can provide IPv6 connectivity to the devices connected to them in four different ways: with and without tunnels, and automatically versus configured manually. Ideally, ISPs would just provide IPv6 connectivity the same way they provide regular IPv4 service. But most ISPs aren't quite there yet. As such, those of us who want to be on the bleeding edge, Internet Protocol-wise, have to put our IPv6 packets inside IPv4 packets in order to skip over the IPv4-only part of the network. Such a connection is called a tunnel.

IPv6-in-IPv4 tunneling.

There are two main ways to tunnel. You can let the AEBS handle everything automatically, or you can configure it to send packets to a tunnel broker—which is basically an IPv6 ISP. The automatic tunneling is called 6to4. Unfortunately, 6to4 doesn't always work reliably, so OS X—and most other operating systems—try to avoid using it. But despite that, if you have 6to4 enabled on your AEBS, don't worry—the 7.6.3 update doesn't break it.

The update does, however, break manually configured tunnels. I use one of those toward Hurricane Electric's free tunnelbroker.net service, and indeed, after the upgrade my home network was IPv4-only. The AEBS reported an IPv6 tunnel error. Unfortunately, the error message in the Airport Utility didn't go into any detail about the issue. Inspection with the ifconfig command in the Terminal showed that the AEBS wasn't giving out IPv6 addresses.

Getting your IPv6 back

According to Jeroen Massar, one of the operators of the free SixXS tunnel broker service, updated AEBSs send back error messages in response to the ping packets sent by the tunnel broker to determine whether the tunnel is operational.

One way to return a tunnel to working order is to downgrade to version 7.6.1 of the Airport Extreme firmware. With the latest version of the Airport Utility (6.2, also released last week) this is done by clicking on the AEBS, then on "edit," and then hovering the mouse pointer over the version number while holding the option key. This turns the version number into a drop-down menu with access to several older firmware versions. Be careful, though: once you click on a firmware version, the process starts, and there are no opportunities to stop it.

However, there's an easier way to get your tunnel back to working order. In version 5.6 and earlier of the Airport Utility, you need to enter four items to set up a tunnel:

The remote IPv4 address

The WAN IPv6 address

The IPv6 default route

The LAN IPv6 address

The AEBS would then assume that the prefix length used on your LAN is 64, allowing for 264 addresses. In theory, a different prefix length is possible, but in practice that doesn't work very well, so this is a pretty safe assumption. But you know what they say about assuming, so in the new and improved Airport Utility, there's a new field when you go to Internet > Internet Options to find the IPv6 tunnel settings.

The new field is "IPv6 delegated prefix"—in other words, the range of IPv6 addresses that the tunnel broker has given you for use on your LAN. (Unlike with IPv4, these are bona fide public addresses, so enable the IPv6 firewall through "block incoming IPv6 connections" as desired in Network > Network Options.)

If your tunnel broker gave you a prefix in CIDR/prefix notation ending in /64, just enter that prefix in the box, click update, drink a beverage of your choice while the AEBS reboots, and all will be right with the world.

I can't test this myself because I have a /64 prefix, but I suspect that if your prefix length is not /64, things will not work right. If you have a prefix longer than /64 (i.e., 65 or higher), go complain to your tunnel broker. If your prefix is shorter, for instance, a /56 or /48, you may want to change it to /64 for consumption by the AEBS. This way, you're only using a small part of the IPv6 addresses available to you, but otherwise entering a longer prefix is not problematic.

Apparently the Airport Utility doesn't check whether the AEBS' LAN IPv6 address falls within the specified prefix, but things will probably work better if it does. Also, the IPv6 WAN address displayed below these settings is incorrect, but that doesn't seem to get in the way of anything. You can check whether your IPv6 connectivity works at test-ipv6.com.

Iljitsch van Beijnum
Iljitsch is a contributing writer at Ars Technica, where he contributes articles about network protocols as well as Apple topics. He is currently finishing his Ph.D work at the telematics department at Universidad Carlos III de Madrid (UC3M) in Spain. Emaililjitsch.vanbeijnum@arstechnica.com//Twitter@iljitsch

I'm more interested in the ability to "extend" guest networks. I'm using an AEBS at my workplace for wireless networking, but just as an access point. Does extending the network to a guest network use VLANs though? If so, I can get rid of the second, older access point we've been using for guest networking and just segregate the traffic at our switch.

I've got to do a bit of experimenting with Wireshark over the next couple of days.

Maybe they'll fix their mistake in a new firmware version, IPv6 is a silly thing to break.

Was it a mistake?

Sounds like Apple stopped making an assumption about a specific setting and instead added a field to input the setting. You just have to fill in this field for everything to work just fine. Some kind of warning probably would have been preferable, but it seems like from a functionality standpoint this is actually an improvement.

SixXS and tunnelbroker.net can provide you with a connection to the IPv6 internet. Of course at this stage, pretty much everything is reachable over IPv4 so you don't really need IPv6.

One thing that I like a lot about IPv6 is that it can make all the devices in your home reachable from the outside. For instance, I could connect to my Mac at home from my computer at work. Of course this is also possible without IPv6, but IPv6 makes it easier.

One way to return a tunnel to working order is to downgrade to version 7.6.1 of the Airport Extreme firmware. With the latest version of the Airport Utility (6.2, also released last week) this is done by clicking on the AEBS, then on "edit," and then hovering the mouse pointer over the version number while holding the option key. This turns the version number into a drop-down menu with access to several older firmware versions. Be careful, though: once you click on a firmware version, the process starts, and there are no opportunities to stop it.

I wish most of Apple's software had the ability to upgrade / downgrade software versions on a whim this easy.

iljitsch wrote:

SixXS and tunnelbroker.net can provide you with a connection to the IPv6 internet. Of course at this stage, pretty much everything is reachable over IPv4 so you don't really need IPv6.

One thing that I like a lot about IPv6 is that it can make all the devices in your home reachable from the outside. For instance, I could connect to my Mac at home from my computer at work. Of course this is also possible without IPv6, but IPv6 makes it easier.

That is not a viable reason. As like you said - I can simply activate an external access option in the AEBS Settings (on IPv4) -- before I leave the house -- and I have fiull acecss to any device I left at home that I allowed for remote access.

If you have to ask why you should use IPv6, you probably don't need to worry your pretty little head. But if you're at all interested in becoming familiar with how the Internet will work in the future, it's worth investigating, especially since there -are- ways to make use of it now, and there's nothin to lose by trying it out.

Apple introduced the delegated prefix in 7.6.1 - but the fact that 7.6.3 shows a 6to4 tunnel WAN address doesn't make me happy - and judging by the number of reports of broken Airplay and broken XBox's and other internal LAN operations - and given that Apple and Microsoft prefer IPv6 on the local LAN, I think there are more IPv6 problems in 7.6.3 than the manual tunneling.

Has anyone got the explicit IPv6 Delegated Prefix fix to work with an AEBS in PPPoE mode? I specify the prefix for my /64 tunnelbroker.net tunnel in APU 6.2, save and update the AEBS, but it comes back with the same "IPv6 Tunnel Error" error and the IPv6 Delegated Prefix box empty.

NB: my tunnelbroker.net tunnel has been working flawlessly with the AEBS in PPPoE mode for the past few years on 7.6.1 and earlier. Luckily, IPv6 service is restored by reverting to 7.6.1, but given others have had success with 7.6.3, I would like to update.

Update 20/02/2013: Tried a full factory reset, and still no joy getting 7.6.3 to accept an IPv6 Delegated Prefix. I suspect that despite Apple's acknowledgement of the issue at http://support.apple.com/kb/HT5656, PPPoE with IPv6 Tunnelling is simply broken in 7.6.3.

Update 29/06/2013: It looks like Airport Utility 6.3 was the ticket. AEBS in PPPoE mode now working with the HE tunnel once again.

Maybe they'll fix their mistake in a new firmware version, IPv6 is a silly thing to break.

Was it a mistake?

Sounds like Apple stopped making an assumption about a specific setting and instead added a field to input the setting. You just have to fill in this field for everything to work just fine. Some kind of warning probably would have been preferable, but it seems like from a functionality standpoint this is actually an improvement.

What does the Apple documentation say ? Surely there's something in the Release Notes about why they made the change ?

I've tried multiple combinations of settings, and the device just will not save the settings for me and does not explain why it doesn't like the setting.

Gone back to 7.6.1 again...

I have the same issues on an AEBS, 3rd generation. Only going back to 7.6.1 fixed the issue. The prefix field is also there, but I have the same problem: nothing I enter into the field gets saved. I don’t even have to restart the router, closing the modal panel and opening it again already shows that the prefix wasn’t changed and the field just stays empty.